Consider installing URLScan on your IIS servers to protect against SQL Injection.
Also, for protecting against XSS attacks, I would use MSFT's AntiXSS library to encode output instead of the built-in HtmlEncode found in HttpServerUtility.
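An added example (not the answerer's code) of what "encode output with AntiXSS" looks like in an ASP.NET Web Forms page: each output context gets its own encoder from the library's Microsoft.Security.Application.Encoder class, and a web.config line routes the framework's default encoding through AntiXSS as well. It assumes the AntiXssLibrary assembly is referenced and that lblName and linkProfile are controls declared in the page's markup.

```csharp
using System;
using System.Web.UI;
using Microsoft.Security.Application; // AntiXSS library: Encoder class

public partial class CommentPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: a constructed sample read from the query string.
        string name = Request.QueryString["name"] ?? "";

        // Text between tags: AntiXSS HtmlEncode uses a whitelist approach,
        // encoding everything except a known-safe set of characters.
        lblName.Text = Encoder.HtmlEncode(name);

        // Attribute value: a separate context, so a separate encoder.
        // HttpServerUtility.HtmlEncode offers no attribute-specific variant.
        linkProfile.Attributes["title"] = Encoder.HtmlAttributeEncode(name);

        // JavaScript string literal: JavaScriptEncode emits the surrounding
        // quotes and escapes the value for use inside script.
        ClientScript.RegisterStartupScript(GetType(), "greet",
            "var visitor = " + Encoder.JavaScriptEncode(name) + ";", true);
    }
}

// On .NET 4.0 and later the library can also replace the framework's
// default encoder, so Server.HtmlEncode and the <%: %> syntax use AntiXSS
// without code changes. Add to web.config under <system.web>:
//
//   <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
```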